Post ASBoTPfOySnY26Gs6K by justin@ser.endipito.us
 (DIR) Post #ASBoTIGgTxrp5PeX6O by justin@ser.endipito.us
       2022-11-21T05:07:54Z
       
       1 likes, 0 repeats
       
       Here's the E2E secure messaging Mastodon App I've been working on for the last few evenings: https://gitlab.com/justindthomas/secureline/ It's still just a PoC, so don't try to use it for anything important. The basic functionality works (authentication to Mastodon, key exchange, encryption of messages, sending and receiving DMs), so I didn't want to delay putting it out there. It's a #wasm app built fully in #rustlang using the #yew framework (my first experience with Yew and WASM).
       
 (DIR) Post #ASBoTPfOySnY26Gs6K by justin@ser.endipito.us
       2022-11-21T05:11:13Z
       
       0 likes, 0 repeats
       
       The app can effectively be run fully on your local machine. And in fact, that's how the OAuth callbacks are currently configured. All of the encryption happens in the browser and keys are held in the LocalStorage therein (encrypted using the ChaCha20-Poly1305 AEAD algorithm in the Orion library). KEX is likewise handled with the same library using X25519.
       
 (DIR) Post #ASBoTcM1no1dNmJ5Cy by justin@ser.endipito.us
       2022-11-21T05:14:24Z
       
       0 likes, 0 repeats
       
       I had to make some adjustments to the Orion structs to allow me to hold the asymmetric keys while negotiation takes place. They're intended to be used in a more synchronous scenario where the request and response happen rapidly, rather than via asynchronous messaging. I think I'm still acting responsibly with the mechanism (i.e., only using the asymmetric keys once and then discarding them), but I'm certainly open to correction.
       
 (DIR) Post #ASBoTmftQnrDOHg5Ym by justin@ser.endipito.us
       2022-11-21T05:16:21Z
       
       0 likes, 0 repeats
       
       Once I've worked out the biggest, ugliest bugs (there are many), and improved the interactivity, I'll put up a server with it running at https://secureline.io. All of the encryption will still happen locally to the browser, but the server will make it easier to access.
       
 (DIR) Post #ASBoTzE0lmHMJZjVPE by justin@ser.endipito.us
       2022-11-21T05:24:33Z
       
       0 likes, 0 repeats
       
       Also, I made one compromise I'm not thrilled about by leveraging the local SessionStore to hold the passphrase-derived key entered at "login" (I put that in quotes because it's not really a login - it's just the input field used to decrypt the local configuration). Because the OAuth negotiation bounces out to the Mastodon server and back, using the session makes things a lot more user-friendly. But it's not strictly necessary and a paranoid user could strip that out if they wanted.